Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:24351
HistoryJul 29, 2010 - 12:00 a.m.

Foofus.net Security Advisory: Symantec AMS Intel Alert Handler service Design Flaw

2010-07-2900:00:00
vulners.com
8
JSON

==================================================
Foofus.net Security Advisory: foofus-20100726

Title: Symantec Antivirus Corporate Edition AMS Intel Alert Handler

Version: 10.1.8.8000 and earlier

Vendor: Symantec

Release Date: 26.07.2010

Issue Status: Reported To Vendor on 01/06/2010

==================================================

  1. Summary:

Alert Management Service (AMS2) is a service used to setup, manage and report

alerts within legacy Symantec Antivirus Corporate Edition products.

==================================================

  1. Description:

The Intel Alert Handler service (hndlrsvc.exe) provides alert setup and response

capabilities to AMS2. A design error in Symantec's implementation of this function

allows an attacker who can establish a TCP connection to port 38292, on a vulnerable

host to execute commands at system level on that host.

No special exploit code is needed to carry out this attack, by leveraging the AMS

server console tool an attacker can setup an alert response to run a command on a

vulnerable system without authenticating. The AMS server console can also be used

to remotely trigger the alert causing the command to execute at system level.

==================================================

  1. Impact:

Exploiting this allows an adversary to execute code on a vulnerable system with out

authenticating

==================================================

  1. Affected Products:

All version of Symantec SAVCE with AMS server installed, or Symantec System CenterConsole

with AMS plugin installed are vulnerable to this exploit.

==================================================

  1. Solution:

    a. Uninstall Symantec System Center. It is advised that any system vulnerable to

    this exploit have all Symantec products uninstalled and reinstalled. Uninstalling

    the AMS plugin from an affected installation will not remove the vulnerability.

    b. Uninstall AMS server

    c. Disable Alert Handler (hndlrsvc.exe) service

    d. Also upgrade to the latest version of Symantec Endpoint Protection

==================================================

6) Time Table:

01/06/2010 Reported Vulnerability to Vendor.

01/11/2010 Vendor acknowledged Receiving report

01/12/2010 Vendor Tried to convince me that this was XFR.exe issue

07/26/2010 Publishes Advisory

==================================================

7) Credits: Discovered by SPIDER

==================================================

  1. Reference:

http://www.foofus.net/?page_id=149

==================================================

The Foofus.Net team is an assortment of security professionals located somewhere

in the Midwestern United States. http://www.foofus.net

==================================================

JSON